From f1028367d7dbfb722ad1a5f2525d66e0775f479d Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad <902768+bizybot@users.noreply.github.com> Date: Mon, 6 Aug 2018 23:51:43 +1000 Subject: [PATCH] [Kerberos] Use canonical host name (#32588) The Apache Http components support for Spnego scheme uses canonical name by default. Also when resolving host name, on centos by default there are other aliases so adding them to the DelegationPermission. Closes#32498 --- x-pack/qa/kerberos-tests/build.gradle | 2 +- .../security/authc/kerberos/KerberosAuthenticationIT.java | 2 +- .../kerberos-tests/src/test/resources/plugin-security.policy | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/x-pack/qa/kerberos-tests/build.gradle b/x-pack/qa/kerberos-tests/build.gradle index 7138b93051226..59667d9ee7809 100644 --- a/x-pack/qa/kerberos-tests/build.gradle +++ b/x-pack/qa/kerberos-tests/build.gradle @@ -41,7 +41,7 @@ Object httpPrincipal = new Object() { @Override String toString() { InetAddress resolvedAddress = InetAddress.getByName('127.0.0.1') - return "HTTP/" + resolvedAddress.getHostName() + return "HTTP/" + resolvedAddress.getCanonicalHostName() } } diff --git a/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java b/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java index ed9f4fbe38d5a..b6ebfde20799f 100644 --- a/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java +++ b/x-pack/qa/kerberos-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationIT.java 
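Review bot: The new `return "HTTP/" + resolvedAddress.getCanonicalHostName()` makes the registered service principal depend on the build host's reverse lookup of 127.0.0.1 (normally the first alias in /etc/hosts), and nothing in the hunk records that this name must agree with what the test client derives in KerberosAuthenticationIT and with the fixed alias list in plugin-security.policy. On a host whose first loopback alias is not one of the listed names the test would fail at the DelegationPermission check rather than with a readable Kerberos error, and the three-way coupling is invisible from this file. A comment above the return would make it explicit: `// Must match the canonical name HttpClient's SPNEGO scheme derives on the client and one of the aliases granted in plugin-security.policy`.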
@@ -112,7 +112,7 @@ public void testSoDoesNotFailWithNoTests() {
 protected HttpHost buildHttpHost(String host, int port) {
 try {
 InetAddress inetAddress = InetAddress.getByName(host);
- return super.buildHttpHost(inetAddress.getHostName(), port);
+ return super.buildHttpHost(inetAddress.getCanonicalHostName(), port);
 } catch (UnknownHostException e) {
 assumeNoException("failed to resolve host [" + host + "]", e);
 }
diff --git a/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy b/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
index fb7936bf62093..84219494bf2ce 100644
--- a/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
+++ b/x-pack/qa/kerberos-tests/src/test/resources/plugin-security.policy
@@ -1,4 +1,7 @@
 grant {
 permission javax.security.auth.AuthPermission "doAsPrivileged";
 permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost.localdomain@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
+ permission javax.security.auth.kerberos.DelegationPermission "\"HTTP/localhost4.localdomain4@BUILD.ELASTIC.CO\" \"krbtgt/BUILD.ELASTIC.CO@BUILD.ELASTIC.CO\"";
 };
\ No newline at end of file
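Review bot: The new `inetAddress.getCanonicalHostName()` call performs a reverse (PTR) lookup, so for any non-loopback `host` the principal the client asks a ticket for is chosen by whoever answers that reverse query rather than by the name the test was given; that is acceptable here only because the integration test targets the loopback address, and the method does not say so. Suggest a comment on the changed line: `// HttpClient's SPNEGO scheme canonicalises the host name; mirror it so the SPN matches the principal registered in build.gradle (loopback only — reverse DNS is not trusted for other hosts)`. The method body continues outside the hunk after the catch, so the value returned when `assumeNoException` does not abort is not visible here.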
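Review bot: The three added DelegationPermission lines hard-code the alias set a CentOS /etc/hosts assigns to 127.0.0.1, but the file gives no hint why `localhost.localdomain`, `localhost4` and `localhost4.localdomain4` are listed or that the set must cover whatever `getCanonicalHostName()` returns on the build host; a machine with a different alias set would surface as an AccessControlException at delegation time, which the commit message explains but the policy file does not. Policy files accept `//` comments, so a line above the grants such as `// one entry per alias getCanonicalHostName() may return for 127.0.0.1 (see build.gradle httpPrincipal); DelegationPermission takes no wildcards` would keep the list maintainable. Terminating the file with a newline (the `\ No newline at end of file` marker on the last hunk line) is a minor tidy-up.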